How Breaking News Is Used To Plant Malware

Spear-phishing -- targeted email that lures a chosen recipient, such as a reader or customer of a trusted institution, into following a link to a compromised website or opening a malicious attachment -- has become one of the main tools fraudsters use to compromise endpoints inside financial institutions.

While the world's attention was recently focused on the Syrian crisis and the alleged use of chemical weapons, cyber-criminals were taking advantage of the situation. News seekers, eager to learn about the latest developments, the possibility of a U.S. strike and the diplomatic efforts to end the civil war, became easy targets. Using fake news alerts, cyber-criminals lured unsuspecting readers to malicious websites where their devices were infected with advanced, information-stealing malware.

In one such spear-phishing campaign, the emails contained links that sent the reader to a legitimate website that had been compromised. Such sites are often called 'watering holes,' although strictly that term describes a site the targets already visit on their own; here the email supplied the visit. The compromised site hosted malicious code that exploited a known Java vulnerability to download and run malware silently on the victim's machine, the now-familiar infection process known as a 'drive-by download.'

Using breaking news to carry out phishing attacks is nothing new, but it is effective. An email that promises the latest developments is opened far more readily than one offering a unique investment opportunity or a new weight-loss product. In addition to breaking news, attackers also exploit the names of trusted institutions to deliver malware.

For example, in July the FBI's Internet Crime Complaint Center and the Department of Homeland Security received complaints about a ransomware campaign that used the name of DHS to extort money from unsuspecting victims. The scam directed victims to a download website where the Reveton malware was installed on their computers; it then locked the machine and tried to coerce them into paying a "fine" to "unlock" it.

The information-stealing Trojans delivered by the news-lure campaigns allow the criminals to capture login credentials and other sensitive data from the user's machine. That information is typically used to commit financial fraud or as the first step in an advanced targeted attack.

In August a hacker group called the Syrian Electronic Army (SEA) used a targeted phishing attack to steal credentials from a reseller for an Australian domain registrar. The stolen information was used to change the DNS (Domain Name System) records for several domain names, including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com. This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control.

Attack Methods

Spear-phishing attacks use two techniques to install malware on end-user devices without the user noticing. The first embeds a link to a malicious website in the email message; the site either exploits an application vulnerability (in the browser or one of its plug-ins, such as Java) to install malware silently in the background, or entices the user to download a file that contains malware. The second technique attaches a file to the email message, usually a "weaponized document" (an office document or PDF carrying an exploit or macro) that installs malware when opened. Additionally, machines can be compromised when users visit legitimate websites that have been infected with malware installers, or when they install legitimate-looking files that actually contain malware (Trojan horses).
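The two delivery techniques described above can be turned into simple triage rules for a suspect message: a link whose visible text names one domain while its href leads elsewhere (or to a bare IP address), and an attachment whose file type is commonly used for a weaponized document or a dropper. The following is an added example, not code from the original article. The sample message, its addresses and its domains are constructed for the example (.example names and a TEST-NET address, not real indicators), and the extension list and suffix handling are deliberately short assumptions rather than a production policy.

```python
"""Triage checks for a suspected spear-phishing email (added example)."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions frequently used for weaponized documents and droppers.
# Assumption: illustrative short list, not an exhaustive policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jar", ".vbs", ".hta",
                    ".docm", ".xlsm", ".pptm", ".zip", ".rar"}

# Labels that commonly sit under a ccTLD (co.uk, com.au, ...).
# Assumption: a simplification of the public suffix list, enough here.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a hostname to its registrable part: www.news.example -> news.example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def href_host(href):
    """Hostname the href really points at, or None for mailto:/relative links."""
    parsed = urlparse(href.strip())
    return parsed.hostname.lower() if parsed.hostname else None


def triage(raw_message):
    """Run the link and attachment rules over one message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {"mismatched_links": [], "ip_links": [], "risky_attachments": []}

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            target = href_host(href)
            if target is None:
                continue
            if IPV4_RE.fullmatch(target):          # link straight to an IP address
                findings["ip_links"].append(href)
                continue
            shown = DOMAIN_RE.search(text)        # domain the reader sees in the text
            if shown and registered_domain(shown.group(0)) != registered_domain(target):
                findings["mismatched_links"].append({"shown": shown.group(0), "href": href})

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings["risky_attachments"].append(name)
    return findings


def build_sample():
    """Constructed sample: fake news alert with a disguised link, a raw-IP link and a macro document."""
    m = EmailMessage()
    m["From"] = "alerts@news-update.example"
    m["To"] = "analyst@bank.example"
    m["Subject"] = "BREAKING: Latest developments in Syria"
    m.set_content("Read the full report at http://www.news.example/story")
    m.add_alternative(
        '<p>Read the full report at '
        '<a href="http://update-download.example/story">www.news.example/story</a></p>\n'
        '<p>Live coverage: <a href="http://203.0.113.5/alert">Breaking news</a></p>\n'
        '<p>About us: <a href="http://www.news.example/about">www.news.example</a></p>',
        subtype="html",
    )
    m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="Syria_Report.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for rule, hits in triage(build_sample()).items():
        print(f"{rule}: {hits}")
```

Running the block flags the first link (the text shows www.news.example but the href goes to update-download.example), the raw-IP link, and the .docm attachment, while the genuine www.news.example link passes. The domain comparison is a heuristic: it handles two-label suffixes such as co.uk only through the short SECOND_LEVEL set, so a real deployment would use the public suffix list and would also inspect attachment content rather than trusting the file name.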

Preventing these attacks is getting harder. Cyber-criminals are continuously sharpening their spear-phishing messages so that users are more likely to open them, and spear-phishing has become one of the main ways endpoints inside financial institutions are compromised. Once a machine is infected, the attacker can read whatever the user can and has full control over the device, which can then be used to commit financial fraud or as a foothold inside the corporate network. In fact, on June 25, 2013, the FBI issued a warning about the increase in the use of spear-phishing attacks to target multiple industry sectors.

Given the advancing sophistication and "believability" of phishing and especially spear-phishing attacks, end-user education no longer provides sufficient protection on its own. Keeping endpoint software patched -- the browser, plug-ins such as Java, document readers and the operating system -- removes the known vulnerabilities that drive-by downloads and weaponized documents depend on, and is essential. Patching cannot stop an exploit for a vulnerability that has no fix yet, so for stronger, more proactive protection financial institutions should also implement the exploit prevention technologies that are now becoming available.